Re: O365 message tracking logs

tylers · ‎03-05-2020

The Security Essentials documentation (https://docs.splunksecurityessentials.com/data-onboarding-guides/office-365/) states that "The Office365 Reporting Add-on lets you collect Exchange message-tracking logs by querying the Office 365 Reporting web service API and indexing the results.".

Based on my testing and the comments made here in Splunk Answers related to the add-on, it is no longer supported and no longer works to support pulling down message trace logs. Is there a newer recommended way for pulling down these logs?

marcluescher · ‎06-11-2020

We are in the same boat, O365 no longer supports basic authentication for O365 to get those log files.

Having looked at some possible solutions we might write our own TA to get this again working. An alternate solution is to sue a powershell script to dump the log files hourly to a share and import from there.

Happy to share more when interested.

-Marc

mhotsi · ‎03-01-2021

Hello Marc, I would like to know more about the powerscript solution.

adalbor · ‎06-12-2020

Would love to hear more about your proposed solution @marcluescher

We have thought about taking the powershell route too but havent spent much time on it to be honest.

J_lo · ‎02-02-2021

Hi @marcluescher

Any luck going down the Powershell route?

Thanks in advance.

O365 message tracking logs

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...